Fix #79797: Use of freed hash key in the phar_parse_zipfile function

We must not use heap memory after we freed it.

(cherry picked from commit 7355ab8)

Author: cmb69

NEWS

@@ -30,6 +30,10 @@ PHP                                                                        NEWS
 - Mbstring:
   . Fixed bug #79787 (mb_strimwidth does not trim string). (XXiang)
 
+- Phar:
+  . Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile
+    function). (CVE-2020-7068) (cmb)
+
 - Standard:
   . Fixed bug #70362 (Can't copy() large 'data://' with open_basedir). (cmb)
   . Fixed bug #79817 (str_replace() does not handle INDIRECT elements). (Nikita)

ext/phar/tests/bug79797.phar

@@ -0,0 +1,14 @@
+--TEST--
+Bug #79797 (Use of freed hash key in the phar_parse_zipfile function)
+--SKIPIF--
+<?php
+if (!extension_loaded('phar')) die('skip phar extension not available');
+?>
+--INI--
+phar.cache_list={PWD}/bug79797.phar
+--FILE--
+<?php
+echo "done\n";
+?>
+--EXPECT--
+done

ext/phar/tests/bug79797.phpt

@@ -705,7 +705,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, size_t fname_len, char *alia
 			efree(actual_alias);
 		}
 
-		zend_hash_str_add_ptr(&(PHAR_G(phar_alias_map)), actual_alias, mydata->alias_len, mydata);
+		zend_hash_str_add_ptr(&(PHAR_G(phar_alias_map)), mydata->alias, mydata->alias_len, mydata);
 	} else {
 		phar_archive_data *fd_ptr;